End point control

ABSTRACT

Systems and techniques are provided for controlling requests for resources from remote computers. A remote computer&#39;s ability to access a resource is determined based upon the computer&#39;s operating environment. The computer or computers responsible for controlling access to a resource will interrogate the remote computer to ascertain its operating environment. The computer or computers responsible for controlling access to a resource may, for example, download one or more interrogator agents onto the remote computer to determine its operating environment. Based upon the interrogation results, the computer or computers responsible for controlling access to a resource will control the remote computer&#39;s access to the requested resource.

RELATED APPLICATIONS

This application is continuation-in-part of Provisional U.S. patentapplication Ser. No. ______ entitled “Network Appliance,” naming ChrisHopen et al. as inventors and filed on Dec. 10, 2003, which provisionalpatent application is incorporated entirely herein by reference.

FIELD OF THE INVENTION

The present invention relates to the determination of access toresources on a remote server computer over a network. Various aspect ofthe invention may be used to limit access to resources on a remotecomputer based upon a user's computing environment.

BACKGROUND OF THE INVENTION

In the last decade, the use of electronic computer networks has greatlyincreased. Electronic computer networks may be found in businesses,schools, hospitals, and even residences. With these networks, two ormore computing devices communicate together to exchange packets of dataaccording to one or more standard protocols, such as the TCP/IPprotocols. Usually, one computer, often referred to as a “client,”requests that a second computer perform a service. In response, thesecond computer, often referred to as a “server,” performs the serviceand communicates the resulting data back to the first computer.

As reliance on computers has increased, the demand to access computerresources from a variety of locations has increased as well.Conventionally, for example, a business user may have accessed resourceson a corporate server through a desktop computer connected to thecorporate server by a private, secure corporate network. Now, however,that user may wish to access the same corporate resources from apersonal computer at home over a public network, such as the Internet.Still further, the user may wish to access those resources from a laptopcomputer while traveling. The connection to the corporate servercomputer might then be made over a publicly accessible wireless networkconnection in a hotel or coffee shop. In some instances, that user mayeven desire to access those corporate resources from a computer at apublic kiosk.

In addition to accessing a resource on a remote computer from a varietyof computing environments, the user may also employ a number ofdifferent communication and security techniques when accessing thoseresources. For example, a laptop provided by the same companymaintaining the desired resources may have dedicated communicationsoftware installed. It may also have sophisticated security-relatedsoftware, such as commercial anti-malware and anti-virus software. Thesame user's home computer, however, may only have some limitedsecurity-related software, such as residential anti-virus software.Also, it may communicate with the remote server computer using a browserapplication with additional “plug-in” software to enhance the browser'scommunication abilities. Still further, a computer at a public kiosk mayhave little or no security-related software, and provide only a basicbrowser software application for communicating with the remote server.Still further, a computer may access remote resources via communicationchannels secured using the Secure Socket Layers (SSL) protocol, theHypertext Transfer Protocol Secure (HTTPS) protocol (which employs theSecure Socket Layers (SSL) protocol, or the Internet Protocol Security(IPSec) protocol on another computer.

Despite this wide variety of computing environments and associatedvariety of security risks now being used to access resources on remotecomputers, actual access to resources typically is predicated only onthe user's identification. This identification may be direct, such as bycredential information personally associated with the user, or indirect,such as credential information associated with a particular computer orcopy of a software application. Thus, if a user can provide the propercredentials to authenticate his or her identity, the user can accessauthorized resources regardless of the type of resource being accessedor the security of the computing environment being used to access theresources.

BRIEF SUMMARY OF THE INVENTION

Various aspects of the invention can be employed to a user's access toresources on a remote computer based upon the computing environment ofthe computer or “end point” being employed by the user to obtain thoseresources. With some examples of the invention, for example, an analysisof the security of the user's computing environment determine whetherthe user is granted access to resources on a remote computer. Thus,authorization to access resources on a remote computer may be gradedaccording to the current security state of the user's computingenvironment.

In other examples of the invention, an analysis of the communicationsoftware available to the user's computing environment may determine howresources on a remote computer are provided to the user. With stillother aspects of the invention, a user may be provisioned with one ormore process objects in order to enhance the user's computingenvironment. For example, the user's computing environment may beprovisioned with one or more security objects deemed necessary to obtainrequested resources from a remote computer.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows one example of a conventional network.

FIG. 2 shows an example of a computing device that can be used toimplement a network appliance according to various examples of theinvention.

FIG. 3 shows an example of a server system that may be employedaccording to various examples of the invention.

FIG. 4 shows the components of policy server according to variousexamples of the invention.

FIGS. 5A-5E illustrate user interfaces that may be provided to anadministrator by a unified policy server according to variousembodiments of the invention.

FIGS. 6A-6E illustrate a flowchart describing a method of controllingaccess to a resource according to various embodiments of the invention.

FIG. 7 illustrates one technique that may be used by various embodimentsof the invention to create a post-authentication interrogator agentmanifest request according to various embodiments of the invention.

FIG. 8 illustrates a process by which a client's operating environmentis matched to the appropriate zone of trust.

DETAILED DESCRIPTION OF THE INVENTION

Overview

As will be discussed in further detail below, various embodiments of theinvention provide systems and techniques for controlling requests forresources from remote computers. More particularly, a remote computer'sability to access a resource will be determined based upon thecomputer's operating environment. With these embodiments, the computer(or computers) responsible for controlling access to a resource willinterrogate the remote computer to ascertain its operating environment.The computer (or computers) responsible for controlling access to aresource may, for example, download one or more interrogator agents ontothe remote computer to determine its operating environment. Theinterrogator agents may interrogate the remote computer regarding anycombination of static artifacts residing on the remote computer andprocess objects, including active processes and agents. The interrogatoragents may, for example, interrogate the remote computer regardingsecurity process objects, such as anti-virus agents, communicationprocess objects, such as agents used to establish or maintain a virtualprivate network, or both.

In addition to passively interrogating the remote computer, with someembodiments of the invention the computer (or computers) responsible forcontrolling access to a resource may additionally provision the remotecomputer with process objects. For example, the computer (or computers)responsible for controlling access to a resource may require a remotecomputer to have a specific portfolio of process objects in order toaccess the resource. In some embodiments, this portfolio may varydepending upon the identity of the person using the remote computer toaccess the resource. If the interrogation process determines that theremote computer does not possess the required portfolio of processobjects, then the computer (or computers) responsible for controllingaccess to the resource may provision the remote computer with themissing process objects. Some embodiments of the invention mayadditionally provision and install an installation agent to facilitatethe subsequent installation of process objects.

While various embodiments of the invention may use any number ofinterrogator agents, some embodiments of the invention will use twointerrogator agents: an interrogator agent that is employed beforeauthenticating the identity of the remote computer's user, and aninterrogator agent that is employed after authenticating the identity ofthe remote computer's user. With these embodiments, thepre-authentication interrogator agent may interrogate the remotecomputer for artifacts. Based upon the determined artifacts, thecomputer (or computers) responsible for controlling access to a resourcemay provision the remote computer with on or more process objects, suchas security process objects useful to protect the user's credentialinformation during the authentication process.

The post-authentication interrogator agent can then interrogate theremote computer for additional artifacts, process objects, or acombination of both. Depending upon the interrogation results (and anyadditional provisioning of process objects), the computer (or computers)responsible for controlling access to a resource may determine whetherthe remote computer may access that resource. Alternately oradditionally, they may determine the communication mechanism used toaccess the resource.

Client/Server Configuration

Various embodiments of the invention will typically be employed tofacilitate cooperation between a client and one or more servers. Asknown in the art, a client/server configuration (including a Web basedarchitecture configuration) occurs when a computing device requests theuse of or access to a resource from another computing device. Forconvenience and ease of understanding hereafter, requests to use,obtain, or otherwise access a resource may generically be referred tosimply as “requesting” a resource, while using, obtaining, or otherwiseaccessing a resource may generically be referred to simply as“obtaining” a resource.

Because the computing device responsible for providing the resource“serves” the computing device initially requesting the resource, thecomputing device responsible for providing the resource is oftenreferred to as a “server.” The computing device requesting the resourceis then commonly referred to as a “client.” Also, because a request forresources and the delivery of those resources may be relayed among avariety of computing devices having a client/server relationship, theclient computing device initially requesting the resource is commonlyreferred to as the “end point” client.

FIG. 1 illustrates a conventional relationship between a client 101 anda server 103. As seen in this figure, the client 101 may transmit therequest for one or more resources to the server 103 over a network 105.The network 105 may be a private network, such as an intranet, or apublic network, such as the Internet. The server 103 may then providethe client 101 with the requested resources over the network 105.

It should be noted that, as used herein, a server may be considered avirtual device rather than a physical device. For example, the functionsof the server 103 may be performed by a single computing device.Alternately, the functions of the server 103 may be performed by a groupof computing devices cooperating together. Similarly, a client may beconsidered a virtual device. That is, one or more separate computingdevices can cooperate together to function as a client. In manysituations, a client may work with multiple servers in order to obtain aresource. For example, a client may submit the request for a resource toa first server, which may then relay the request to a second server. Thesecond server may authenticate the identity of the client (or a useremploying the client), to determine whether the client should bepermitted may access or use the requested resource. Yet another servermay then actually provide the resource to the client.

As used herein, a resource may be any type of object or serviceavailable through a server. For example, the resource may be a data fileor a directory of data files. The resource may also be a service, suchas an electronic mailing service, a database service, a documentmanagement service, a remote shell or terminal service, or the like.

Example Computing Device

Various embodiments of an end point control server system according tothe invention may be implemented using electronic hardware. Moretypically, however, the various features of the invention will beimplemented by executing software instructions on a programmablecomputing device or computer. Accordingly, FIG. 2 shows one example of acomputer 201 that can be used to implement various aspects of theinvention.

The computer system 201 illustrated in FIG. 2 includes a processing unit203, a system memory 205, and a system bus 207 that couples varioussystem components, including the system memory 205, to the processingunit 203. The system memory 205 may include a read-only memory (ROM) 209and a random access memory (RAM) 211. A basic input/output system 213(BIOS), containing the routines that help to transfer informationbetween elements within the computer system 201, such as during startup,may be stored in the read-only memory (ROM) 209. If the computer system201 is embodied by a special-purpose “server application” computersystem 201, it may further include, for example, another processing unit203, a hard disk drive 215 for reading from and writing to a hard disk(not shown), a magnetic disk drive 217 for reading from or writing to aremovable magnetic disk (not shown), or an optical disk drive 219 forreading from or writing to a removable optical disk (not shown) such asa CD-ROM or other optical media.

A number of program modules may be stored on the ROM 209, the hard diskdrive 215, the magnetic disk drive 217, and the optical disk drive 219.A user may enter commands and information into the computer system 201through an input device 223, such as a keyboard, a pointing device, atouch screen, a microphone, a joystick or any other suitable interfacedevice. Of course, the computer system 201 may simultaneously employ avariety of different input devices 223, as is known in the art. Anoutput device 225, such as a monitor or other type of display device, isalso included to convey information from the computer system 201 to theuser. As will be appreciated by those of ordinary skill in the art, avariety of output devices 225, such as displays, speakers and printers,may alternately or additionally be included in the computer system 201.

In order to access other computing devices, the computer system 201should be capable of operating in a networked environment using logicalconnections to one or more remote computing devices, such as the remotecomputing device 227. The computer system 201 may be connectable to theremote computer 227 through a local area network (LAN) 229 or a widearea network (WAN) 231, such as the Internet. When used in a networkingenvironment, the computer system 201 may be connected to the networkthrough an interface 233, such as a wireless or wired network interfacecard (NIC) or similar device. While the interface 233 is illustrated asan internal interface in FIG. 2, it may alternately be an externalinterface as is well known in the art. Of course, it will be appreciatedthat the network connections shown in this figure are for example only,and other means of establishing a communications link with othercomputers may be used.

An End Point Control Server System

FIG. 3 illustrates one example of a server system 301 that may be usedto implement various embodiments of the invention. As seen in thisfigure, the server system 301 includes an access server 303, workplaceserver 305, a provisioning server 307, an end-point-control (EPC) server309, and a policy server 311. FIG. 3 also illustrates a client 313,which communicates with the access server 303 through a network 315.Typically, the network 315 will be a public network, such as theInternet. With some implementations of the invention, however, thenetwork 315 may be a private network, such a corporate or institutionalintranet. The client 313 may be implemented by any suitable computingdevice or combination of computing devices. For example, the client 313may be a programmable computer, such as the programmable computer 201described above. The computer may be, for example, a personal desktopcomputer, a laptop computer, or even a personal digital assistant or“smart” telephone.

As employed herein, the term “user” will refer to the individual usingthe client 313 (or other client) to obtain resources from the serversystem 301. For some applications of the invention, the client 313 maybe implemented on a computing device owned by its user or by the samecorporation or institution maintaining the server system 301 (or by arelated corporation or institution). With still other applications ofthe invention, the client 313 may be implemented on a computing deviceowned by a third party, and may even be provided in a publicly availablekiosk.

As will be discussed in greater detail below, the client 313 transmitsrequests to the access server 303 for the use of or access to one ormore resources provided through the workplace server 305. With variousembodiments of the invention, the client 313 may request one or moreresources from the workplace server 305 through a secure communicationchannel. For example, the client 313 may seek to establish a securecommunication channel using any desired conventional security protocol,such as the Secure Socket Layers (SSL) protocol, the Hypertext TransferProtocol Secure (HTTPS) protocol, (which employs the Secure SocketLayers (SSL) protocol), the Internet Protocol Secure protocol (IPSec),the SOCKet Secure (SOCKS) protocol, the Layer Two Tunneling Protocol(L2TP), the Secure Shell (SSH) protocol, or the Point-to-Point TunnelingProtocol (PPTP). Further, the client 313 may seek to establish a securecommunication channel using a secure remote computer connectiontechnique, such as Windows Remote Desktop, Citrix, Virtual NetworkComputing (VNC) or other “screen-scraping” technology.

The Workplace Server

It also should be noted that the workplace server 305 shown in FIG. 3 ismerely representative of any combination of servers that can provide arequested resource. Thus, the workplace server 305 may be any server orcombination of servers responsible for providing one or more resourcesto clients. For example, the workplace server 305 may be an electronicmail server, a server that maintains a database, a print server, a datastorage server, a file or document management server, a Voice overInternet Protocol (VoIP) server, a remote shell or terminal service orthe like. With some implementations, the workplace server 305 may onlybe indirectly responsible for providing requested resources. Forexample, the workplace server 305 may be a proxy server providing aconnection to another server 319 through, for example, a private network317, which will actually provide requested resources to the client 313.Thus, the resource being sought by the user over the network does nothave to be in physical or logical proximity to the workplace server 305.It also should be appreciated that the workplace server 305 may beresponsible for providing a variety of different types of resources,including any combination of data files and services.

The Access Server

The access server 303 may be any device or combination of devices thatprovides a gateway to the remainder of the server system 301 or otherresource servers 319. Typically, the access server 303 will beresponsible for establishing both secure and unsecured communicationchannels with the client 313. For example, as known in the art, theclient 313 may use an unsecured communication channel to contact theaccess server 303. The access server 303 may then respond to the client313 that the client 313 needs to establish a secure communicationchannel and the manner in which this may be done. In reply, the client313 will request that the access server 303 establish a securecommunication channel for the client 313 to obtain the requestedresource. The access server 303 can then use an encrypted communicationprotocol, to create a secure communication channel between the client313 and the server system 301.

It also should be noted that, in some applications of the invention, theclient 313 will contain special-purpose software for establishing asecure connection with the server system 301 through the access server303. For example, the access server 303 may be configured to cooperatewith software resident on the client 313 to create a Virtual PrivateNetwork (VPN) secure communication session between the client 313 andthe server system 301 using secure encryption communication protocols,such as the Secure Sockets Layer (SSL) protocol or the Internet ProtocolSecure (IPSec) protocol. With other applications, a user may employ ageneral purpose software application on the client 313, such as abrowser application, to establish a secure connection to the serversystem 301 through the access server 303. For example, a user mayattempt to employ a browser application on the client 313, such as theMicrosoft Internet Explorer or Mozilla, to access a Universal ResourceLocator (URL) address in the server system 301. The access server maytherefore be configured to use appropriate secure communicationprotocols, such as the Secure Hypertext Transfer Protocol (HTTPS), toestablish secure communication with a client 313 using such a generalpurpose software application. Accordingly, the access server 303 mayinclude multiple components or be comprised of multiple servers forhandling multiple communication techniques.

In some embodiments of the invention, the access server 303 may maintainthe secure communication channel with the client 313. With otherembodiments of the invention, however, the access server 303 may simplyestablish the secure communication channel. It may then pass offresponsibility for maintaining and administering the securecommunication channel to another server, such as the workplace server305.

The Policy Server

The policy server 311 determines the conditions under which a user ofthe client 313 may obtain the requested resources. More particularly, aswill be explained in detail below, the policy server 311 administerspolicy rules specifying the conditions under which a user may obtain arequested resource. With various embodiments of the invention, theseconditions may include both the identity of the user and the operatingenvironment of the client 313. With various embodiments of theinvention, the policy server 311 also may validate authenticationcredentials submitted by a user with a request to obtain resources fromthe server system 301.

As used herein, the term “administrator” will refer to a personauthorized to configure policy rules for enforcement by the policyserver 311.

As shown in FIG. 4, the policy server 311 includes a credentials andprofile information analysis module 401. It also includes a rule set403, and a rule configuration module 405. As will be discussed infurther detail below, the credentials and profile analysis module 401receives credential and profile information regarding a user requestingto access or use resources on the client computer 313. The credentialsand profiles analysis module 401 then compares this received informationwith rules in the rule set 403, to determine if the requested accessshould be granted. With various embodiments of the invention, thecredentials and profiles analysis module 401 may also require someaction from the client computer 313 based upon requirements specified inthe rule set 403. The rule configuration module 405 then provides theserver system administrator with a user interface for configuring andrevising rules in the rule set 403.

The access server 303 may support a variety of different communicationtechniques by which the client 313 may securely communicate with theserver system 301, as noted above. Accordingly, with various embodimentsof the invention an administrator may employ the policy server 311 toimplement a single access control policy for multiple communicationtechniques provided by the access server 303.

FIGS. 5A-5E illustrate examples of user interfaces that such a unifiedpolicy server 311 may provide to an administrator according to variousembodiments of the invention. In particular, FIG. 5A illustrates a userinterface 501 that may be provided by the policy server 311 to displayexisting rules according to various embodiments of the invention. Asseen in this figure, the user interface 501 displays a list of rules(sometimes refereed to as “access control list” (ACL) rules) that havebeen configured for controlling access to one or more resourcesaccessible through the server system 301.

The entry for each rule may include, for example, a selection check box503, a rule number 505, and an action indicator 507. The selection checkbox 503 can be used to select the associated rule in order to, forexample, delete or reorder the rule. The rule number then indicates theorder in which the rule will be evaluated. With various embodiments ofthe invention, the rule number may also serve as an edit command controlthat the administrator can activate when he or she wishes to edit therule. The action indicator then indicates the function of the rule. Forexample, a green action indicator may be used to indicate that the rulewill permit access to the associated resource for a compliant user,while a red action indicator may be used to indicate that the rule willprohibit access to an associated resource for a compliant user.

A rule may also include a description 509, a user identification 511, adestination 513, a communication method indicator 515, and a zoneindicator 517. The description indicator 509 can be used by theadministrator to provide a convenient description of the function and/orapplicability of the rule. The user indicator then indicates the usersto which the rule applies. For example, an administrator may designatethat a rule applies to one or more specific users, one or moreparticular communities, one or more particular realms, or anycombination of these. Alternately, the administrator may designate therule to be applicable to any user. The destination indicator 513 is thenassociated with the resource being controlled by the rule. With someembodiments of the invention, the destination indicator 513 may indicatethe location in the server system through which the resource may beaccessed. With still other embodiments of the invention, however, thedestination indicator 513 may identify the resource itself.

The communication method indicator 515 indicates the particular type ofcommunication method to which the rule will be applied. As will bediscussed in detail below, various embodiments of the invention providemultiple communication techniques for establishing a securecommunication session between the client 313 and the server system 301.As will be appreciated by those of ordinary skill in the art, somecommunication techniques will be more inherently secure than others.Accordingly, a rule can be configured to specify its applicability toone or more particular communication techniques. Advantageously, asdescribed herein, various embodiments of the invention allow anadministrator to designate rules for all communication techniques usinga unified set of user interfaces provided by a single rule configurationsystem. Lastly, the zone indicator indicates the zone in which theoperating environment of the client 313 must be classified in order tocomply with the requirements of the rule.

FIG. 5B illustrates a portion 519 of a user interface that may beprovided by the policy server 311 to edit or create an access controlrule for unified application over different communication techniques,according to various embodiments of the invention using the. As seen inthis figure, this user interface portion 519 includes a number control521, a description control 523, and a series of action controls 525. Thenumber control 521 is used to specify the number for the rule (i.e., theorder in which the rule will be applied to a client). The administratorcan then use the description control 523 to enter a useful descriptionof the purpose or intent of the purpose or application of the rule.

The action controls 525 allow the administrator to specify the actionthat the rule will take if a client 313 complies with the requirementsof the rule. For example, if the administrator selects the “permit”action control 525, then the client 313 will be permitted to access theassociated resource upon compliance with the rule. Similarly, if theadministrator selects the “deny” action control 525, the client 313 willbe denied access to the resource if the policy server determines thatthe client is in compliance with the provisions of the rule. Anadministrator can then select the “disabled” action control in order todisable the rule.

FIG. 5C illustrates another portion 527 of a user interface that may beprovided by a policy server 311 to allow an administrator to edit orcreate a rule according to various embodiments of the invention. Thisuser interface portion 527 includes a user group control 529A, and auser group edit command control 529B. It also includes a destinationresources control 531A and a destination resources edit command control531B. When configuring a rule, the administrator may select theindividual users, a group of users (such as a community or realm ofusers), or a combination of both to which the rule will be applied.Accordingly, the administrator may activate the user edit commandcontrol 529B to obtain a list of available users and/or groups of users.The administrator can then select from the list in order to designate aselected user or group to appear in the user control 529A.

Similarly, when configuring a rule, the administrator must designate theresource whose access will be controlled by the rule. The administratormay therefore activate the destination resource edit command control531B to obtain a list of resources available through the server system301. The administrator may then select from this list in order tospecify the resources will be included in the destination resourcescontrol 531A, to which the rule will be applied.

FIG. 5D illustrates still another portion 533 of a user interface thatmay be provided by a policy server 311 to edit or create a rule. As seenin this figure, the user interface portion 533 includes a first set ofcommunication technique selection controls 535, and a second set ofcommunication technique selection controls 537. The first set ofselection controls 535 allow an administrator to easily choose betweenapplying a rule to all supported communication techniques, or choosingto selectively apply the rule to one or more specific communicationtechniques. If the administrator chooses to apply the rule to specificcommunication techniques, the administrator can then select among thecommunication technique selection controls 537 to specify one or moreparticular communication techniques for which the rule will be applied.

FIG. 5E then illustrates a user interface portion 539 that may beprovided by various embodiments of the policy server 311 to create oredit a rule. The user interface portion 539 includes a zone selectioncontrol 541 and a zone selection edit command control 543. If theadministrator wishes the rule to apply only when the client's operatingenvironment complies with one or more particular zones of trust, theadministrator can activate the zone selection edit command control to,for example, view a list of available zones of trust that have alreadybeen defined. The administrator can then select one or more zones oftrust from this list to include those zones of trust in the zoneselection control 541. The zones of trust specified in the zoneselection control 541 will then be included in the edited or new rule.

The Provisioning Server and the End Point Control Server

The provisioning server 307 and the EPC server 309 assist the policyserver 311 to enforce the access rules. For example, the provisioningserver 307 and the EPC server 309 cooperate to interrogate the clientcomputer 313 to detect the presence of desired process objects. Further,depending upon the rules specified in the rule set 403, the provisioningserver 307 and the EPC server 309 may cooperate to install and activatedesired process objects on the client computer 313. For example, if arule requires that the client 313 have a specific portfolio of securityprocess objects installed and operational, then the provisioning server307 and the EPC server 309 may cooperate to install and activate one ormore of those security process objects on the client 313. Also, withsome embodiments of the invention, the provisioning server 307 and theEPC server 309 can determine if the client 313 is capable of executing acommunication process object that will implement a more preferred oralternate communication technique. With these embodiments, theprovisioning server 307 and the EPC server 309 may cooperate to installand activate one or more such communication process objects on theclient device 313.

The security objects may be any software such as, for example,anti-malware or anti-virus agents. As used herein, the term “malware”generally will refer to software agents or processes that are intendedto obtain information for illicit purposes. The term “virus” will thengenerally be used to refer to software agents or processes intended todamage data or obstruct the operation of the host computer. It should beappreciated, however, that these terms should not be construed aslimiting, since many software agents and processes may both obtaininformation for illicit purposes and damage data or obstruct theoperation of the host computer. The security objects may also includeclient certification agents, client integrity agents, client inventoryagents, data protection agents, patch management agents, personalfirewall agents, system audit agents, and vulnerability assessmentagents. Still further, with various embodiments of the invention, theprovisioning server 307 and the EPC server 309 can cooperate to checkfor and/or install any desired security object on the client computer313.

Security Zones

As noted above and as will be discussed in detail below, a policy rulemay determine the availability of a resource based upon the identity ofthe user and the operating environment of the client 313. In order toallow an administrator to simultaneously specify a variety of clientoperating environments for a rule, multiple client operatingenvironments may be categorized into a “zone of trust.” Accordingly, apolicy rule may specify that a user may access a resource when his orher client operating environment can be categorized into zone of trust 1or zone of trust 2, but will be refused access if his or her clientoperating environment is categorized into zone of trust 3. Anotherpolicy rule may then specify that a different user, user B, can onlyobtain that same resource if his or her client operating environment iscategorized in zone of trust 1.

Accordingly, the provisioning server 307 and the EPC server 309cooperate to interrogate a client's operating environment, and ifnecessary, to change a client's operating environment by provisioningthe client 313 with specified security objects. With various embodimentsof the invention, however, the provisioning server 307 and the EPCserver 309 may split the interrogation and provisioning process into twostages. One stage will be performed before the user authenticates his orher identity, and the second stage will then be performed after the usehas authenticated his or her identity.

This approach advantageously allows the provisioning server 307 and theEPC server 309 to ensure that the client 313 is provisioned withspecified anti-malware agents or other desired agents before theauthentication process begins. The specified anti-malware agents willthen prevent malware from illicitly obtaining the user's credentialsduring the authentication process. Moreover, by provisioning the client313 in stages, the provisioning server 307 and the EPC server 309 canavoid unnecessary provisioning steps if, for example, the user'scredentials are not accepted during the authentication process.

Various embodiments of the invention may therefore factor the clientoperating environment required before the authentication process beginsand the client operating environment required after the authenticationprocess has been completed in determining the zone of trust into whichthe client computer will be categorized. Moreover, by partitioning thecriteria for a zone of trust into pre-authentication requirements andpost authentication requirements, various embodiments of the inventioncan customize the process for determining the post authenticationrequirements based upon the user's identification obtained during theauthentication process. Accordingly, the tools employed to interrogatethe user's client regarding its operating environment can be variedbased upon the identity of the user.

The state of the client's operating environment when requesting aresource is referred to as the client's “signature.” This signature is alist of pre-existing static process objects or “artifacts” on the client313. The signature may also include processes or “agents” running on theclient 313. The information in the signature can be used to determinethe identity of the client 313.

For example, an administrator for a corporate-managed server system 301may expect all corporate-owned computers to be configured with aparticular set of artifacts and agents. Likewise, the administrator mayexpect a responsible employee to ensure that his or her personalcomputer is configured with a different set of particular artifacts andagents. On the other hand, the administrator may expect a computerprovided in a public kiosk to have only a minimal set of artifacts andagents. Accordingly, the EPC server 309 may use the signature of aclient 313 to distinguish a corporate-owned computer from a personalcomputer owned by an employee of the company from a computer at a publickiosk. The identity inherently provided by the signature may thensubsequently used to classify the client 313 into a zone.

With various embodiments of the invention, a signature definition may beconfigured as a Boolean logic expression of “literal” values thatconform to the standard Conjunctive Normal Form (CNF) (i.e. aconjunction of disjunctions). More particularly, a signature can bedefined as a group of artifact literal values associated by the logicalAND operator and one or more groups of agent literal values associatedby the logical OR operator. The group of artifact literal values is thenassociated with the group (or groups) of agent literal values by alogical AND operator. Thus, for a client operating environment to matcha particular signature, each artifact literal value must be TRUE and oneagent literal value from each group of agents literal values also mustbe TRUE.

For example, if artifact literal A=ARTIFACT, agent literal PFW=PersonalFirewall, agent literal AV=AntiVirus, agent literalCC=ClientCertification, and agent literal O=Other (for a yet to bedefined agent type), a signature definition can then be expressed as:

-   Signature=A[1] && . . . && A[n_a] && (PFW[1] | . . . | PFW[n_pfw])    && (AV[1] | . . . |AV[n_av]) && (CC[1] | . . . |CC[n_c]) && (O[1] |    . . . | O[n_o])

For various embodiments of the invention, the artifact literals mayinclude “DIR,” where the value of this artifact literal will be adirectory pathname to be found on client, “FILE,” where the value ofthis artifact literal will be a file to be found on the client, and“REGISTRY,” where the value of this artifact literal will be a KeyNameto be found in the registry of the client. The artifact literals mayalso include “PROCESS,” where the value of this artifact literal valueis a running process to be found on the client, “DOMAIN,” where thevalue of this artifact literal will be a domain of which the client is amember, and “OS,” where the value of this artifact literal will be anoperating system employed by the client.

The agent literals may include the “PFW_AGENT” literal and the“AV_AGENT” literal. The values of these agent literals will specify aparticular instance of that agent. For example, the PFW_AGENT literalvalue “ZONE_PFW” may correspond to the Personal Firewall provided byZone Labs Corporation. Thus, for a client 313 to have a signaturematching a signature definition requiring this PFW_AGENT literal value,the Personal Firewall software application provided by ZONE ALARMSCorporation must exist and be running on the client 313. The PFW_AGENTliteral value SYGATE_PFW may then correspond to the Sygate PersonalFirewall software application, while the PFW_AGENT literal value“MS_PFW” may correspond to the Microsoft Personal Firewall softwareapplication. Similarly, the AV_AGENT literal value “MCAFEE_AV” maycorrespond to the McAfee Anti-Virus software application, while theAV_AGENT literal value “NORTON_AV” may correspond to the NortonAnti-Virus software application.

It should be noted, however, that this list of possible artifact andagent literals is one possible example, and should not be consideredlimiting. Various embodiments of the invention may provide anycombination of desired artifacts and agents for inclusion in a signaturedefinition. Still further, various embodiments of the invention may evenallow an administrator to create define new artifact and agent literalsas desired. Various embodiments of the invention also may allow anadministrator to employ any combination of literal comparison operatorsin addition to the default equality comparison operator to define asignature, such as the literal comparison operators <, >, <=, >=, and!=. This permits, for example, the evaluation of the Microsoft Windowsoperating system registry entries during the authentication process.

With various embodiments of the invention, the policy server 311 maymaintain a global list of signatures. An administrator can then selectone or more signatures from this global list to define a zone of trust.While the precise configuration of the list structure will beimplementation specific, the structure of one example of such a list isprovided below.

-   -   1. GlobalListOfSignatures[0-∞]        -   a. Signature            -   i. Artifacts[0-∞]            -   ii. PersonalFirewallAgents[0-∞]            -   iii. AntiVirusAgents[0-∞]

A “zone of trust” or “zone” is an assertion of state on a client. Aspreviously noted, the client state defining a zone of trust is acombination of the static and dynamic state existing on the clientdevice prior to instantiating an authenticated secure communicationsession, (i.e., the signature), and the dynamic state added to theclient during the lifecycle of the authenticated secure communicationsession. State assertions that are added to the client 313 during theauthenticated secure communication session also are expressed asindividual literals in a zone of trust definition. Like the signaturedefinitions, a definition of a zone of trust may be created as a Booleanlogic expression of literals that conform to the standard ConjunctiveNormal Form (CNF).

With the illustrated embodiments of the invention, the definition of azone of trust will first include one or more signature literal values. Asignature literal value is true if the pre-authentication operatingenvironment of the client 313 (i.e., its signature) matches thesignature definition for that literal. The definition of a zone of trustmay be expressed as a group of compound signature literals associated bythe logical OR operator, followed by one or more groups of agentliterals associated by the logical OR operator. Because the agentliterals employed in this definition correspond to agents that areprovisioned and/or after the authentication process, these agentliterals are referred to below as “ADDED_AGENT” literals. The group ofcompound signature literals is associated with the group (or groups) ofADDED_AGENT literals by the logical AND operator. Accordingly, for aclient operating environment to match a zone, one of the values of thesignature literals must be TRUE. Also, one of the values in each groupof the ADDED_AGENT literals also must be TRUE in order for the clientoperating environment to match a zone of trust definition.

For example, if signature literal S=SIGNATURE, agent literalDP=DataProtection, agent literal CI=ClientIntegrity, and agent literalO=other (representing a yet to be defined agent type), then thedefinition of a zone may be expressed as:

-   Zone=(S[1]| . . . | S[n_s]) && (DP[1] | . . . | DP[n_dp]) && (CI[1]    | . . . |CI[n_ci]) && (O[1] | . . . | O[n_o])

The policy server 311 may provide literals for a variety of differenttypes of agents. These agents may include, for example, anti-malware oranti-Trojan agents, anti-virus agents, client certification agents andclient integrity agents. Anti-malware and anti-Trojan agents detect andprotect against key-stroke loggers, back doors, remote hick jacking,spy-ware, and other processes intended to obtain information for illicitpurposes. Anti-virus agents then detect and protect against viruses andother similar threats. Client certification agents determine theidentity of a client device through a set of heuristics and/orcryptographic certification. Client integrity agents determine theintegrity of the client device by performing multiple threat categoryfunctions rather than a single function.

The policy server 311 also may provide literals for client inventoryagents, data protection agents, and patch management agents. Clientinventory agents search for artifacts on the client. They may be used,for example, to determine the signature of the client. Typically,however, these agents will not be included in signature or zone of trustdefinition. Instead, one or more agents of this type are provisioned onthe client in advance of determining a client's signature or zone oftrust. Data protection agents protect data being used in authenticatedsecure communication sessions from being disclosed to parties other thanthe authenticated session user. Patch management agents manage clientsystem patches, in order to ensure that, where possible, security holeshave been repaired by software vendors.

Still further, the policy server 311 may provide literals for personalfirewall agents, system audit agents, and vulnerability assessmentagents. Personal firewall agents wall the client off from unauthorizednetwork traffic and the associated threats of direct client systemnetwork attack and indirect network attack. System audit agents auditthe compliance of end point security policy, while vulnerabilityassessment agents perform vulnerability scans of the client and assessits resistance to external threats.

The value of an agent will then correspond to a particular softwareapplication or other process. For example, a value of “ACC” for the dataprotection agent literal DP_AGENT will correspond to the Cache Cleanersoftware application available from Aventail Corporation of Seattle,Wash. Similarly, a value of “ASD” for the data protection agent literalDP_AGENT will correspond to the Aventail Secure Desktop softwareapplication also available from Aventail Corporation of Seattle, Wash.The value of “SSP” for the client integrity agent literal CI_AGENT willcorrespond to the Sygate Security Portal (also referred to as the SygateOn Demand product) available from Sygate Technologies of Fremont, Calif.

It should be noted, however, that this list of possible agent literalsis one possible example, and should not be considered limiting. Variousembodiments of the invention may provide any combination of desiredagents for inclusion in a zone definition. Still further, variousembodiments of the invention may even allow an administrator to createdefine new agent literals as desired. Various embodiments of theinvention also may allow an administrator to employ any combination ofliteral comparison operators in addition to the default equalitycomparison operator to define a signature, such as the literalcomparison operators <, >, <=, >=, and !=.

This permits, for example, the evaluation of operating system registryentries, such as entries in the Microsoft Windows operating systemregistry, during the authentication process.

Moreover, it should be noted that the above-described definition of azone is described with respect to embodiments of the invention thatdivide the interrogation process into a pre-authentication interrogationof the client's operating environment and a post-authenticationinterrogation of the client's operating environment. Various embodimentsof the invention may alternately define a zone with any combination ofartifact and agent literal values associated by any combination oflogical operators and comparison operators.

Various embodiments of the policy server 311 may provide a global listof zones of trust for selection by an administrator. While the preciseconfiguration of the list structure will be implementation specific, thestructure of one example of such as list is provided below.

-   -   1. GlobalListOfZones[1-∞]        -   a. Zone            -   i. Signatures[0-∞]                -   1. GlobalListOfSignatures[ordinal]            -   ii. DataProtectionAgents[0-∞]            -   iii. ClientlntegrityAgents[0-∞]

In addition to one or more zones of trust that specify a particularsignature, the list of zones also typically will include a default zonethat does not require a specific signature. Thus, if the client 313fails to match any other zone of trust, its operating environment willbe matched with this zone of trust by default. In variousimplementations of the invention, however, this zone of trust may stillrequire that the client 313 be provisioned with one or more additionalprocess objects.

With various embodiments of the invention, a user will be categorizedinto a “realm.” As used herein, a realm is any group of one more usersthat is permitted to authenticate against a specific set ofauthentication servers, such as, for example, an LDAP authenticationserver, a Radius authentication, or an Active Directory authenticationserver. In order to allow an administrator to more convenientlyassociate a user with one or more zones, various embodiments of thepolicy server 311 may provide for the use of one or more “communities.”

As used herein, a community is a group of one or more users within arealm that is associated with one or more defined zones. Thus, acommunity may be considered a subset instance of a realm authenticationand authorization name space. With some applications of the invention, acommunity definition may have some additional usefulness outside of thescope of end point control. Accordingly, only the features of acommunity definition that relate to end point control will be discussedherein.

From the perspective of the EPC server 309, a community represents aconfiguration of zones of trust in the form of a scoped list, into whicha specific authenticated user is authorized to be classified. As will bediscussed in further detail below, after a user has authenticated his orher identity, the provisioning server 307 installs a post-authenticationinterrogator agent onto the client 313, in order to ascertain moreinformation regarding the client's operating environment (e.g., toascertain the remainder of the client's signature that was notdiscovered by the pre-authentication interrogator agent). The EPC server309 can thus program this post-authentication interrogator agent with aspecific manifest of artifacts to search for on the client 313 thatcorrespond only to the zones of trust in which the user can becategorized. That is, the post-authentication interrogator agent willnot need to search for the artifacts and agents included in everydefined zone of trust; only for those zones of trust that are applicableto that user. The interrogation results returned from thispost-authentication interrogator agent is then used to classify theuser's client 313 into a specific zone of trust according to the Booleanlogic previously described.

While the precise configuration of the structure of a community will beimplementation specific, the structure of one example of a list ofrealms is provided below.

-   1. GlobalListOfRealms[1-∞]    -   a. Realm        -   i. Authentication servers [0-∞]            -   1. GlobalListOfAuthenticationServers[ordinal]        -   ii. ListOfUserCommunities[1-∞]            -   1) User Community                -   a) Members[1-∞]                -    i. User@Realm or Group@Realm                -   b) Non End Point Control Related Elements                -   c) . . .                -   d) . . .                -   e) ZoneOffrust[0-∞]                -    i. GlobalListOfZones[ordinal]                -   f) DefaultZone

Once the user of the client 313 has been authenticated and the clientoperating environment has been categorized into a zone of trust, thepolicy server 311 will determine whether the client 313 may obtain aparticular resource based upon a policy rule. With various embodimentsof the invention, the makeup and use of policy rules may have someadditional usefulness outside the scope of end point control.Accordingly, only the features of a realm definition that relate to endpoint control will be discussed herein.

From the perspective of the EPC server 309, a policy rule represents theenforcement mechanism of a zone of trust. That is, in order for theclient operating environment to be factored into a security policy, itmust be associated with a policy rule. With various embodiments of theinvention, this association is made with the use of a zone of trustliteral. More particularly, when a zone of trust literal is encounteredduring evaluation of a policy rule, the currently classified zone oftrust for the user is employed in Boolean conjunctive logic for the zoneof trust literal, and therefore factored into the security policy. Whilethe precise configuration of the structure of policy rules will beimplementation specific, the structure of one example of a list ofpolicy rules is provided below.

-   1. GlobalListOfAccess Control Lists[1-∞]    -   a. Access Control List        -   i. Non End Point Control Related Literals        -   ii. . . .        -   iii. . . .        -   iv. ZoneOfTrust[0-∞]            -   1. GlobalListOfZones[ordinal]                literal-comparison-operator CurrentClassifiedZone

It should be noted that various embodiments of the policy server 311 mayprovide for hierarchical and other forms of aggregating zones in apolicy rule definition.

Operation of the Server System

The operation of an end point control process that may be implemented bythe server system 301 according to various embodiments will now bedescribed in detail with reference to FIG. 6. In step 601, the useremploys the client 313 to request a resource available through theworkplace server 305. For example, the user may employ a browserapplication on the client 313 to provide the access server 303 with aUniversal Resource Locator (URL) associated with a desired resourceavailable through the workplace server 305. As previously noted, thisinitial request may be submitted via an unsecured communication channel.

In response, the access server 303 performs an authorization check ofthe communication with the policy server 311 in step 603. If thecommunication is part of an existing authenticated communication session(and the end point control process thus has already been performed forthe client 313), the remainder of the end point control process may beskipped. Likewise, if the requested resource does not requireauthentication or end point control (e.g., it is a publicly availableresource), then again the remainder of the end point control process maybe skipped and the client 313 allowed to obtain the requested resource.

If, however, a secure communication session has not been initiated andthe requested resource is not a public resource, then the access server303 transfers control of communications with the client 313 to theprovisioning server 307, so that the provisioning server 307 may beginthe pre-authentication interrogation of the client 313. Accordingly, instep 605, the provisioning server 307 downloads the pre-authenticationinterrogator to the client 313. If the pre-authentication interrogatoris successfully installed, then the pre-authentication interrogator willtransmit a report of the client's operating environment back to the EPCserver 309. With some embodiments of the invention, thepre-authentication interrogator may also send a message to the EPCserver 309 confirming its successful information. The interrogationreport may include information regarding artifacts on the client 313,such as its operating system name and version, whether the browsersupports the Java programming language, and the like.

The pre-authentication interrogator agent may be, for example, a Javaapplet that can be installed and activated through the browser withoutbeing blocked by any security features of the client 313. Thepre-authentication interrogator agent requires no input, and returnsvarious data to the provisioning server 307. The pre-authenticationinterrogator agent is used by the server system 301 to determineartifacts on the client 313, in order to select the kind ofpost-authentication interrogator to employ to complete the determinationof artifacts and agents. In addition, the provisioning server 307 mayuse the information provided by the pre-authentication interrogatoragent to facilitate provisioning of additional agents on the client 313.

The fundamental data structure used to communicate interrogation resultsbetween the provisioning server 307 and the pre-authenticationinterrogator agent is the pre-authentication interrogator agentartifacts schema. This data structure is a fixed set of elements thatthe pre-authentication interrogator agent populates and sends to theprovisioning server 307. While the precise configuration of thestructure of schema will be implementation specific, various examples ofelements that may be employed in the schema may include operating systeminformation for the client 313, such as the operating system name,version, most recent service pack, and build, and the client's processortype. The elements may also include information regarding the browserbeing used to access the resources, such as the browser name, andversion, the version of JavaScript supported by the browser, the venderand the version of Java supported by the browser. Still further, theschema elements may include the local (human) language used by theclient 313, the size of the monitor employed by the client 313, and anyother desired environmental information that may be accessible by thepre-authentication interrogator agent.

With various embodiments of the invention, the pre-authenticationinterrogator agent will obtain the information to populate the artifactsschema from conventionally available sources on the client 313. Forexample, if the client 313 is employing the Microsoft Internet Explorerbrowser application available from Microsoft Corporation of Redmond,Wash., then the pre-authentication interrogator agent may obtain theinformation from the Document Object Model of the browser. It should benoted that other methods well known in the art can alternately oradditionally be used to determine information to populate the artifactsschema, such as the availability of Active-X or Java, if thepre-authentication interrogation of the client environment does notreport on them. Once the schema is populated, the pre-authenticationinterrogator agent may then report the schema back to the EPC server 307using, for example, a cookie.

The provisioning server 307 then transfers control to the EPC server309, so that the EPC server 309 can process the results provided by thepre-authentication interrogator. In step 607, the EPC server 309determines whether it has received an interrogation report from thepre-authentication interrogator installed on the client 313. If it didnot receive an interrogation report, then the EPC server 309 mayterminate communications with the client 313. If the EPC server 309 didreceive an interrogation report, then in step 609 the EPC server 309determines which process objects, if any, should be downloaded to theclient 313. More particularly, based upon the information obtained bythe pre-authentication interrogator agent, such as the operating system,processor, Java runtime, and Active-X runtime used by the client 313,the EPC server 309 identifies various security objects that should beinstalled on the client 313.

For some client configurations, the administrator may not require anyprocess objects to be downloaded to the client. For example, if theclient 313 is employing an operating system that is an infrequent targetof malware (such as the Macintosh operating system provided by AppleComputers), then the EPC server 309 may determine that no processobjects should be downloaded to the client 313. If, however, the client313 is employing an operating system that is a frequent target ofmalware (such as the Microsoft Windows operating system available fromMicrosoft Corporation of Redmond, Wash.), then the EPC server 309 mayidentify one or more security process objects that should be downloadedto the client 313. As discussed in detail above, these process objectsare downloaded before the authentication process is started.Accordingly, the administrator may desire that security process objects,such as anti-malware agents, be downloaded to the client 313 to betterprotect the confidentiality of the user's credentials during thesubsequent authentication process.

Accordingly, in step 611, the provisioning server 311 downloads anyprocess objects designated by the EPC server 309 to the client 313. Ifthe process objects downloaded to the client 313 were successfullyinstalled and operating, they will transmit a communication reportingtheir successful installation to the EPC server 309. Thus, in step 613,the EPC server 309 checks to confirm that the downloaded process objectswere successfully installed. If they were not, then the EPC server 309may terminate communications with the client 313. If the downloadedprocess objects were successfully installed, however, then the EPCserver 309 transfers control of communication with the client 313 to thepolicy server 311 to authenticate the user.

Accordingly, in step 615, the policy server 311, requests credentialinformation from the user, and subsequently authenticates the user instep 617. If the user fails to authenticate, then communications withthe client 313 are terminated. If the user is successfullyauthenticated, then control over the communication with the client 313is transferred back to the EPC server 309 in order to perform thepost-authentication portion of the end point control process.

During the authentication process, the user will identify himself orherself, either directly or indirectly, as a member of a community or arealm. Accordingly, in step 619, the EPC Server determines which zonesof trust, if any, are configured for the community or realm for whichthe user is an authenticated member. If one or more zones of trust areconfigured for the user's community (or realm), then, in step 621, theprovisioning server 307 downloads an end point installer agent to theclient 313. If a zone of trust was not configured for the user'scommunity (or realm), then the process proceeds to step 629.

As noted above, various embodiments of the invention may allow a user torequest a resource using a variety of different communicationtechniques. Moreover, as will be discussed in more detail below, someembodiments of the invention may even provision the client 313 withcommunication process objects necessary to switch communicationtechniques while requesting a resource, thereby enabling the client 313to employ the most convenient or beneficial communication techniqueavailable to obtain the resource. In order to allow the client 313 toswitch communication techniques without having to reauthenticate theuser, these embodiments of the invention may provide the client 313 witha set of authentication credentials confirming that the user's identityalready has been authenticated by the policy server 309.

For example, some embodiments of the invention may create a cookie onthe client 313 that includes authentication information confirming thatthe user's identity already has been authenticated by the policy server309. Because this authentication information may be universal for thedifferent communication techniques provided by the server system 301,the client 313 will not have to resubmit the user's credentials in orderto establish a secure communication channel after switching to adifferent communication technique.

The end point installer agent is used to facilitate the subsequentprovisioning of process objects on the client 313. Accordingly, the endpoint installer agent will be an agent configured to work with theclient's operating environment to reliably install specified processobjects onto the client 313. As previously noted, a client may employ abrowser application, such as the Microsoft Internet Explorer browserapplication, to communicate with the server system 301. Accordingly,various embodiments of the invention will employ an end point installeragent compatible with the Microsoft Internet Explorer browserapplication.

For example, some embodiments of the invention may employ an end pointinstaller agent implemented as an ActiveX control. Depending upon theuser's privileges for installing new software applications on the client313, the browser may install the end point installer agent onto theclient directly from a .cab file downloaded from the provisioning server307. If the user does not have sufficient privileges to install ActiveXcontrols, various embodiments of the invention may employ additionalprocesses to facilitate the installation of the end point installeragent.

Thus, if the client 313 is employing the Microsoft Windows operatingsystem available from Microsoft Corporation of Redmond, Wash., someembodiments of the invention may also download a Java applet, referredto as an end point loader, to facilitate the download and installationof the end point installer agent. The end point loader will download a.cab for the end point installer agent file, and then use the JavaNative Interface (JNI) to extract the cab file into, for example, one ormore .dll and .inf files and instantiate the end point installer agent.The end point loader will then instruct the end point installer agent toregister itself with the operating system. When this process isemployed, however, the end point installer agent is configured toregister itself in the “users” portion of the Microsoft Windows COMregistry instead of the “system” portion of the Microsoft Windows COMregistry where ActiveX controls typically are registered, therebyallowing the end point installer agent to install and run regardless ofthe user's installation privileges.

Various embodiments of the invention may use a variety of techniques toavoid obstructions presented by the security protections of differentoperating systems. For example, when updated with the Microsoft WindowsService Pack 2, the Microsoft Windows operating system may not allow auser to install an Active X control without requiring the user toacknowledge an additional prompt. To avoid requiring the user tospecifically acknowledge this prompt, various embodiments of theinvention may employ JavaScript programming to acknowledge the promptand complete the installation of the end point installer agent. For aclient 313 that does not employ the Microsoft Internet Explorer browserapplication, various embodiments may employ similar Java-based or othersoftware language-based end point installer agents.

Once the end point installer agent is installed, it will then acceptinstructions from the provisioning server 307. When the provisioningserver 307 desires to install a process object, it may instruct the endpoint installer agent to download one or more process components fromthe provisioning server 307. For example, the provisioning server 307may send the end point installer agent HTTP format instructions toinstall components located at the provisioning server 307. The end pointinstaller agent will obtain an .inf file for the components, which liststhe required pieces of components, and the version information for thecomponents. The end point installer agent will then compare the versioninformation in the downloaded file with version information for anycorresponding components already present on the client 313.

If the version information indicates that the resident components arenewer, the end point installer agent will then enter this determinationand any associated information into a log, and discontinue theinstallation process. If, however, the end point installer agentdetermines from the version information that the components on theprovisioning server, it will request the new components from theprovisioning server and install them. The network-intense download ofcomponents is thus performed only when required. More particularly, itwill rename the resident components, install the newly obtainedcomponents, and then delete the renamed components (e.g., marks them fordeletion upon rebooting of the client 313). This ensures that some formof the components can be salvaged for use by the client 313 if theinstallation process fails. With various embodiments of the invention,the end point installer agent will only install components that have averifiable signature confirming their authenticity from trusted source.

With some embodiments of the invention, the end point installer agentwill keep a record of files that it installs, and has the capability ofsubsequently uninstalling all these files in a single operation, so thatall of these file can be subsequently uninstalled at the conclusion ofthe communication session. For example, if the process object isinstalled through various browser software applications, the browser mayprovide a feature to uninstall specified processes. For process objectsinstalled via the end point loader or the Java native interface, anuninstaller agent may be installed with the end point installer agent.This uninstaller agent can then uninstall all previously loaded processobjects. This may be done by specific prompt, or by automatic detectionof end of communication session.

Next, in step 623, the EPC server 309 creates an interrogation manifestrequest based upon the zones configured for the user's community orrealm. One example of how this interrogation manifest request may becreated will be discussed with reference to FIG. 7. More particularly,FIG. 7 illustrates one technique that may be used by various embodimentsof the invention to create a post-authentication interrogator agentmanifest request according to various embodiments of the invention. Asseen in this figure, in step 701 the EPC server 309 initially selectsthe next available realm from among the list of all available realms. Ifthere are no further realms to select, then the EPC server 309 concludesthat the manifest request creation process is completed. If, however,there is a realm remaining in the list of available realms, in step 703the EPC server selects the next available user community in the realm.If there is no remaining user community available for the realm, thenthe process returns to the step 701. If, however, there is a usercommunity in the realm that has not yet been processed, in step 705 theEPC server 309 creates a literal graph for that user community.

Next, in step 707, the EPC server will obtain the next available zone inthe list of zones associated with the user community. If there are nofurther zones listed for that user community, then the process returnsto step 705. Otherwise, the EPC server 309 will obtain the firstsignature listed for the current zone. If there are no further availablesignatures, then the EPC server will return to step 707 to obtain thenext available zone for the user community. If, however, a signature isavailable for analysis, then in step 711 the EPC server 309 will obtainthe first literal specified in the definition of that signature. Ifthere is no remaining literal designated for the signature, then theprocess returns to step 709, where the EPC server 309 will obtain thenext available signature for the current zone. If however, there isanother literal specified for the signature, then in step 713 the EPCserver determines whether the literal is unique to the current literalgraph for the user community. If it is, then in step 715, the literal isadded to the graph, and the EPC server 309 obtains the next literal forthe signature. Otherwise, the process simply returns directly to step711.

In this manner, each literal for each signature making up each zone foreach user community in all available realms are identified and a graphis created for each zone of each user community. When a user isidentified as being a member of a user community, the EPC server 309 canthen simply identify the appropriate graphs for that user community, andincorporate the graph into a manifest request for processing by thepost-authentication interrogator agent.

After the EPC server 309 creates an interrogation manifest request, instep 625, the provisioning server 307 downloads and installs thepost-authentication interrogator with the manifest request onto theclient 313. More particularly, after the installer agent has beeninstalled on the client 313, the provisioning server 307 sends a messageto the installer to instantiate the post-authentication interrogatoragent. The message may be, for example, an HTML message. This messagemay also include, for example, a URL identifying a configuration filecontaining the manifest request.

This configuration file may use, for example, the Microsoft Windows .inifile format.

As will be discussed in detail below, the configuration file willinclude commands for the post-authentication interrogator to search forspecific artifacts or process objects. For example, it may includecommands instructing the post authentication interrogator to look for aspecified file, directory, running process, registry key, registry valueor data, whether a specific personal firewall is running, user domains.

This information may be obtained through conventional operating systemapplication programming interfaces (APIs), or through APIs specificallymade available by third parties, such as the providers of a processobject.

The manifest request may use Hash Message Authentication Code (HMAC)signing techniques to ensure that information contained in the manifestrequest (or in the manifest response) is not forged by a third party forillicit uses. Also, to ensure security, queries in the manifest requestmay be formulated as questions prompting specific prior known answersrather than open ended questions, as open-ended questions could beviewed as a privacy threat if abused by the server administrator viaclever signature definitions. For example, wildcard queries may beprohibited from the manifest request to prevent disclosure ofinformation beyond that needed for evaluation of access control andauthentication of the user session.

With various embodiments of the invention, the fundamental datastructure that may be used to exchange data between the EPC server 309and the post-authentication interrogator agent is the interrogationmanifest. Unlike the pre-authentication interrogation manifest, thepost-authentication interrogation manifest includes a variable number ofquestions in the form of literals sent from the EPC server 309 to thepost-authentication interrogator agent in the manifest request, andanswers added to the literals on responses sent back to the EPC server309 by the post-authentication interrogator agent. The followingpresents an abstract definition of this manifest, but it should be notedthat different embodiments of this structure will be implementationspecific.

1. Individual Generic Queries

These literals have no input and are answered with values pertaining tothe literal. There may be 0-1 occurrences per literal present in themanifest.

-   -   a. Literal=User Privilege        -   i. Input=None        -   ii. Output=Admin|Power User|Restricted User    -   b. Literal=MAC Addresses        -   i. Input=None        -   ii. Output=List of MAC addresses    -   c. Literal=Link Speed        -   i. Input=None        -   ii. Output=Kbps of SSL VPN link    -   d. Literal=User Home Directory        -   i. Input=None        -   ii. Output=User Home Directory    -   e. Literal=System Directory        -   i. Input=None        -   ii. Output=User Home Directory    -   2. Individual Specific Queries

These literals all have input that is interpreted as an equalityexpression. There may be 0-∞ occurrences per literal present in themanifest.

-   -   a. Literal=File        -   i. Input=Leaf Path Name        -   ii. Output=TRUE if found, else FALSE    -   b. Literal=Directory        -   i. Input=Intermediate Path Name        -   ii. Output=TRUE if found, else FALSE    -   c. Literal=Process        -   i. Input=Process Name [AUTHENTICODE CHECK]        -   ii. Output=TRUE if running and if required, authenticode            verified, else FALSE    -   d. Literal=Registry (WIN-ONLY)        -   i. Input=Key Name [Value [Data]], Literal Comparison            Operator        -   ii. Output=TRUE if Key Name present, and if present, Value            and Data match Literal Comparison Operator, else FALSE    -   e. Literal=User Domain        -   i. Input=WINS_DOMAIN|DNS_DOMAIN        -   ii. Output=TRUE if user is logged into domain, else FALSE    -   f. Literal=Machine Domain        -   i. Input=WINS Name|DNS Name        -   ii. Output=TRUE if client device is a domain member, else            FALSE            3. Set Individual Keyword Queries

These literals all have input that is interpreted as described by theoutput. There may be 0-1 occurrences per literal in the set.

-   -   a. Literal Set=ZONE_PFW|Sygate_PFW|MS_PFW        -   i. Input=None        -   ii. Output=TRUE if firewall running, else FALSE; for each            keyword present in the set    -   b. Literal Set=McAfee_AV|Nortal_AV        -   i. Input=None        -   ii. Output=TRUE if AV running, else FALSE; for each keyword            present in the set    -   c. Literal Set=CONNECT, BET, ODX, ODJ, NG        -   i. Input=None.        -   ii. Output=NOT_INSTALED, or INSTALLED, or RUNNING; for each            keyword present in the set

After it has been installed on the client 313, the post-authenticationinterrogator examines the operating environment of the client 313,looking for artifacts and process objects specified in thepost-authentication interrogator manifest request. It then reports backits findings via a post-authentication interrogator manifest response tothe EPC server 309 in step 627. For example, the post-authenticationinterrogator may create an XML file containing the interrogationresults, and post these results back to the EPC server 309.

Based upon the information returned by the post-authenticationinterrogator agent, the EPC server 309 will classify the client'soperating environment into a zone of trust in step 629. This processwill be described in more detail with reference to FIG. 8.

FIG. 8 illustrates a process by which a client's operating environmentis matched to the appropriate zone of trust. As seen in this figure, instep 801, the policy server 311 obtains the next available zone of trustfrom the list of all zones of trust associated with the user'scommunity. If there are no further zones of trust available for theuser's community that have not already been analyzed, then the policyserver 311 classifies the client's operating environment in the defaultzone of trust. If, however, there is an available zone of trust in theuser's community that has not been analyzed, the next availablesignature for the zone of trust is obtained in step 803.

If there are no further signatures in the definition of the current zoneof trust, then the process returns to step 801. Otherwise, the policyserver 311 obtains the next the next available literal in the obtaineddevice profile in step 805. If there are no further literals in thesignature, then the operating environment of the client 313 iscategorized into the current zone. Otherwise, the obtained literal iscompared with the corresponding state of the client's operatingenvironment. If the value of the literal is true for the currentoperating environment, then the process returns to step 805 to examinethe next literal available in the signature. If, however, the value ofthe literal is not true for the client 313, then the process returns tostep 803 to obtain the next available signature for the current zone.

Next, in step 631, the policy server 311 may provision the client 313with any suitable with communication process objects that will enablethe client 313 to employ an alternate communication technique forcommunicating with the server system 313. As previously discussed,various embodiments of the invention may provide different communicationtechniques for securely communicating with the server system 301, andsubsequently obtaining resources from or through the server system 301.

For example, some embodiments of the invention will accommodate onecommunication technique employing a conventional browser. Variousembodiments of the invention may alternately or additionally accommodateanother communication technique employing the Microsoft Windows InternetExplorer browser where the communication functionality has been enhancedby an ActiveX control. These embodiments of the invention may furtheraccommodate a communication technique implemented by a Java-enabledapplication that is specifically configured for securely communicatingwith the server system 301. Still further, various embodiments of theinvention may accommodate a communication technique implemented by aspecial purpose software application that works with the client'soperating system. For example, some embodiments may support acommunication technique implemented by a software application that is aclient of the Microsoft Windows operating system provided by MicrosoftCorporation of Redmond, Wash.

As will be appreciated by those of ordinary skill in the art, in somesituations, one communication technique may be preferable to anothercommunication technique. For example, if a client 313 is employing theMicrosoft Windows operating system, the user may obtain more effectivecommunication with the server system 301 by employing a special purposesoftware application than by using a browser application to communicatewith the server system 301. On the other hand, if the client 313 is notemploying the Microsoft Windows operating system, then a special purposesoftware application which requires the Microsoft Windows operatingsystem to run would not be useful for communication with the serversystem 301. Instead, the user would be better served using acommunication technique implemented by a Java-enabled application,

Accordingly, various embodiments of the invention may provision a client313 with communication process objects that will enable the client 313to employ a communication technique most suitable to the client'soperating environment. More particularly, these embodiments of theinvention may employ the information obtained from one or moreinterrogator agents to determine which communication techniques can besupported by the client 313. The provisioning server 313 can thenprovision the client 313 with the communication process objects toimplement one or more of these communication techniques.

For example, the provisioning server 307 may determine from the client'ssignature whether the client 313 is employing the Microsoft Windowsoperating system. If the client 313 is employing the Microsoft Windowsoperating system, then the provisioning server 307 may download andinstall a software application that is a client of the Microsoft Windowsoperating system to establish a secure connection with the server system301. Similarly, the provisioning server 307 may determine from theclient's signature whether the client 313 is Java enabled and, if it is,then the provisioning server 307 may download and install a Java-basedsoftware application to establish a secure connection with the serversystem 301. Still further, the provisioning server 307 may determinefrom the client's signature whether the client 313 is employing theMicrosoft Internet Explorer browser and will allow the installation ofActiveX controls. If it does, then the provisioning server 307 maydownload and install an ActiveX control to help the Microsoft InternetExplorer browser establish a secure connection with the server system301.

With various embodiments of the invention, the provisioning server 307may provision the client 313 with communication process objects in thismanner according to any desired criteria. For example, the provisioningserver 307 may provision the client 313 with every communication processobject that the client 313 will support. Alternately, the provisioningserver 307 may provision the client 313 with a communication processobject based upon a preset hierarchy, or based upon heuristicsaccounting for communication process objects already installed on theclient 313. It also should be noted that, if the end point installeragent was not previously installed during step 621, it may be installedat this point to facilitate the installation of the communicationprocess objects.

In step 633, the EPC server 309 determines whether the client 313 shouldbe provisioned with any additional security process objects based uponthe zone of trust into which the client 313 has been classified. Inaddition to specifying artifacts and process objects that must beresident on the client 313 in order to be classified in the zone oftrust, the definition of the zone of trust may also require thatadditional process objects, such as additional security process objects,be installed on the client 313 in order for the client to remainclassified in that zone of trust. Accordingly, the provisioning server307 will provision the client 313 with any additional security processobject required by the EPC server. It should be noted that, if the endpoint installer agent was not previously installed during step 621, itmay be installed at this point to facilitate the installation of theadditional security process objects.

After being installed on the client 313, the additional security processobjects may report the results of their successful installation to theprovisioning server 307. Accordingly, the provisioning server 307 willconfirm that the required additional security process objects wereproperly installed on the client 313. Upon successful installation,these additional security process objects report back their securitystatus to the EPC server 309. If one or more of the additional securityprocess objects were not properly installed or failed to report positivestatus to the EPC server 309, then the server system may discontinuecommunicating with the client 313. Alternately, various embodiments ofthe server system 301 may attempt to remediate the classification of theclient 313 into another zone of trust that does not require installationof the additional security process objects.

Lastly, in step 635 the EPC server 309 may asynchronously andperiodically revalidate the state of the client's operating environment,For example, the EPC server 309 may periodically request that thepost-authentication interrogator verify the compliancy state of agentsassociated with the current zone of trust. It then proceeds tore-classify the zone of trust, where a zone of trust change may occurdue to the current compliancy state of the client device.

Conclusion

It should be noted that, while particular examples of the invention aredescribed in detail above, there are numerous variations andpermutations of the invention. For example, some embodiments of theinvention may employ zones of trust without regard to the user'sidentity. Thus, all clients may be assigned the same set of zones oftrust, regardless of the identity of their individual users. Byemploying these embodiments, an administrator can ensure that allclients have an operating environment that meets minimum securityrequirements.

Still further, various embodiments of the invention may employ a singleinterrogator agent. With some of these embodiments, the singleinterrogator agent may interrogate the client 313 to obtain its entiresignature before the authentication process. Other of these embodimentsmay deploy the single interrogator agent after the authenticationprocess. Of course, still other embodiments of the invention may employany desired number of interrogator agents to ascertain the client'soperating environment.

Additionally, various embodiments of the invention may perform some taskassociated with a zone of trust when a client is classified into thatzone of trust. For example, the server system 301 may log the client 313off of a secure communication session if the client 313 is assigned azone of trust associated with this command. Of course, any desiredcommand to be enacted by the server system 301 or one of its componentscan be associated with a zone of trust being assigned to a client 313.

It also should be noted that, while various connections have beendescribed above, unless otherwise expressly indicated these connectionsshould be considered to include both direct connections between twoelements or indirect connections that may include any number ofintermediate elements between the connected elements. Further, whilevarious functions have been ascribed to one or more components ofparticular embodiments of the invention (such as servers), variousembodiments of the invention may collect or redistribute these functionsin any desired configuration. For example, a single server may be usedto implement the functionality of both the provisioning server 307 andthe EPC server 309 described above. Alternately, some embodiments of theinvention may provide three or more servers to perform thatfunctionality. Still further, various functions ascribed to a particularserver may be implemented in different embodiments of the invention byanother server. For example, with some embodiments of the invention, oneor more of the functions of the EPC server 309 may be performed by thepolicy server 311 and vice versa in alternate embodiments of theinvention.

While the invention has been described with respect to specific examplesincluding presently preferred modes of carrying out the invention, thoseskilled in the art will appreciate that there are numerous variationsand permutations of the above described systems and techniques that fallwithin the spirit and scope of the invention as set forth in theappended claims. For example, while particular software services andprocesses have been described as performing various functions, it shouldbe appreciated that the functionality of one or more of these servicesand processes may be combined into a single service or process, ordivided among additional services and processes.

1. A method of determining an operating environment of a remotecomputer, comprising: installing an interrogator agent onto the remotecomputer; and receiving interrogation results produced by theinterrogator agent.
 2. The method recited in claim 1, wherein theinterrogator agent is installed onto the remote computer without thecooperation of a user of the remote computer.
 3. The method recited inclaim 1, further comprising assigning a zone of trust to the remotecomputer based upon the interrogation results produce by theinterrogator.
 4. The method recited in claim 3, further comprising:determining one or more process objects required for the zone of trustassigned to the remote computer; and installing the one or moredetermined process objects onto the remote computer.
 5. A method ofcontrolling an end point computer's access to a resource, comprising:receiving a request for a resource from a remote computer; in responseto receiving the request, installing a first interrogator agent onto theremote computer; receiving first interrogation results produced by thefirst interrogator agent; identifying one or more security processobjects corresponding to the received interrogation results; installingthe identified security process objects onto the remote computer;authenticating an identity of a user of the remote computer; afterauthenticating the identity of the user of the remote computer,installing a second interrogator agent onto the remote computer;receiving second interrogation results produced by the secondinterrogator agent; and based upon the first interrogation results andthe second interrogation results, assigning the remote computer a zoneof trust; and determining whether the remote computer can access therequested resource based upon the assigned zone of trust.
 6. The methodrecited in claim 5, further comprising: identifying one or more securityprocess objects required by the assigned zone of trust; and installingthe identified one or more security process objects onto the remotecomputer;
 7. The method recited in claim 6, further comprising:determining if the identified one or more security process objects areproperly operating on the remote computer, and if the identifiedsecurity process objects are properly operating on the remote computer,allowing the remote computer to obtain the requested resource, and ifone or more of the identified security process objects is not properlyoperating on the remote computer, refusing to allow the remote computerto obtain the requested resource.
 8. The method recited in claim 5,further comprising assigning the zone of trust based upon the identityof the user.
 9. A method provisioning resources to a remote computer,comprising: creating at least one rule identifying a remote computeroperating environment, and one or more process objects to be provisionedonto the remote computer in response to a request from the remotecomputer for a resource.
 10. The method recited in claim 9, furthercomprising: creating the rule to further require that the user of theremote computer have a specific identity before provisioning the one ormore process objects onto the remote computer.
 11. A method ofprovisioning a remote computer, comprising: receiving a communicationfrom a remote computer; installing at least one interrogator agent ontothe remote computer; receiving interrogation results produced by the atleast one interrogator agent; based upon the interrogation results,identifying one or more process objects that may be supported by anoperating environment of the remote computer; and installing the one ormore process objects onto the remote computer.
 12. The method recited inclaim 11, wherein the process objects are communication process objects.13. The method recited in claim 12, wherein the communication from theremote computer employs a first communication technique; and at leastone of the communication process objects implements a secondcommunication technique different from the first communicationtechnique.
 14. The method recited in claim 11, further comprisinginstalling an end point installer to facilitate subsequent installationof the process objects.
 15. A method of performing an activity basedupon an operating environment of a remote computer, comprising:installing an interrogator agent onto the remote computer; and receivinginterrogation results produced by the interrogator agent; assigning azone of trust to the remote computer based upon the interrogationresults produce by the interrogator; and performing an action associatedwith the zone of trust.
 16. The method recited in claim 15, wherein theaction is to log the remote computer off of a secure communicationsession.
 17. A server system, comprising: an access server that receivescommunications from a client computer; a provisioning server thatinstalls at least one interrogator agent onto a client computercommunicating with the access server; an end point control server thatanalyzes interrogation results provided by the at least one interrogatoragent, and assigns a zone of trust to the client computer based upon theinterrogation results provided by the at least one interrogator agent.18. The server system recited in claim 18, further comprising: a policyserver implementing rules for associating a zone of trust with anoperating environment of a client computer.